An important point when using PDO is that we must set an attribute that forces it not to emulate prepared statements, because real (server-side) prepared statements are not used by default (!). To fix this, add these lines:
// use real prepared statements

$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
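As an added example (not code from the original page), here is a PDO connection configured with emulation turned off and then used with a real prepared statement; the DSN, credentials and the users table are assumptions for illustration:

```php
<?php
// Added example, not from the original page. The host, database, credentials
// and the `users` table are assumptions made for illustration only.
$dsn  = 'mysql:host=127.0.0.1;dbname=appdb;charset=utf8mb4';
$user = 'app_user';      // assumed credentials
$pass = 'app_password';

$db = new PDO($dsn, $user, $pass, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // surface SQL errors as exceptions
    PDO::ATTR_EMULATE_PREPARES   => false,                 // use real server-side prepared statements
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// Check that the setting actually took effect on this driver/connection.
if ($db->getAttribute(PDO::ATTR_EMULATE_PREPARES) !== false) {
    throw new RuntimeException('PDO is still emulating prepared statements');
}

function findUserByName(PDO $db, string $name): ?array
{
    // The SQL text (with a placeholder) is sent to the server once; the
    // value travels separately and is never spliced into the query string.
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Constructed input containing a quote character: with a bound parameter it
// is matched literally as the name O'Brien, so no escaping function is needed.
$row = findUserByName($db, "O'Brien");
var_dump($row);
```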

The unsafe example above uses the legacy mysql extension instead of mysqli or PDO; there, the impact of an SQL injection attack can be reduced by escaping input with the mysql_real_escape_string() function.